DETAILED ACTION
Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 09/08/05 has been entered. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 27-47 are rejected under 35 U.S.C. 103(a) as being unpatentable over Williams
(U.S. Patent 5,996,077) in view of O'Brien et al. (6,658,571 B1).

In reference to claim 27, Williams discloses a hierarchical arrangement of security devices
for securing a protected network through a plurality of security devices (abstract). The device
consists of a legacy firewall (security device A, principle device) connected to each of a plurality
of communication interfaces (public and protected network) and executing at least one inspection
module is software code configured to carry out an operation of providing protocol information 
for a particular protocol to said firewall core (column 5 line 53 to column 6 line 6); and a new 
inspection module inserted into an operating memory of said firewall core wherein said new
inspection module is software code configured to carry out an operation of providing protocol 
information for a particular protocol to said firewall core (column 4 lines 1-28 in combination 
with Fig. 2). 

Although Williams discloses the next generation of firewall coexisting with the legacy 
firewall, Williams does not expressly disclose the new inspection module inserted during 
operation of said firewall core. 

However, O'Brien discloses the separate subsystem consisting of at least one inspection
module coupled for communication to the user space, said inspection module configured to 
provide protocol inspection of data (column 3 lines 39-56), said inspection module is further 
configured to be installed during the operation of the system (column 3 lines 56-64). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use security modules as in O'Brien to provide protocol inspection in the system 
of Williams. One of ordinary skill in the art would have been motivated to do this because 
security information that is application and resource specific which would reduce the damage 
that malicious software can cause in the event that malicious software is accidentally executed 
without additional hardware, or modification to the individual software applications or the
underlying operating system. 

In reference to claim 32, Williams discloses a hierarchical arrangement of security 
devices for securing a protected network through a plurality of security devices (abstract). A 
communication unit wherein said communication unit is operatively coupled to each one of 
communication interfaces connected to said network (parts 101 and 102 Fig. 2). A firewall core 
(principle device) and one of said at least one inspection modules (security devices) and wherein
each said at least one inspection module is software code configured to carry out the operation of 
providing protocol information and to inspect data packets of a particular protocol (column 4 
lines 1-28 in combination with Fig. 2). 

Although Williams discloses the communication to the security devices (Fig. 2),
Williams does not disclose a set of call back functions, retrieved from said inspection module, 
each function providing communication between the firewall core and the inspection module. In 
addition the firewall core (principle device) disclosed by Williams is not further configured to 
monitor memory to determine when a new inspection module is loaded into said memory. 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27). In addition the system of O'Brien is configured to monitor a memory to
determine when a new inspection module is loaded into said memory (column 5 lines 28-46). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Williams. One of ordinary skill in the art would have been motivated 
to do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claim 36, Williams discloses a hierarchical arrangement of security devices
for securing a protected network through a plurality of security devices (abstract). The
inspection unit is configured to inspect and authorize data packets (column 4 lines 62-65); a
function table which corresponds to a connection table (column 7 lines 31-36).

Although Williams discloses the communication to the security devices (Fig. 2) and a
connection table, Williams does not disclose a set of call back functions, retrieved from said 
inspection module, each function providing communication between the firewall core and the 
inspection module. In addition the firewall core (principle device) disclosed by Williams is not 
further configured to monitor memory to determine when a new inspection module is loaded into 
said memory. 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27). In addition the system of O'Brien is configured to monitor a memory to
determine when a new inspection module is loaded into said memory (column 5 lines 28-46). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Williams. One of ordinary skill in the art would have been motivated 
to do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claims 39 and 43, Williams discloses a hierarchical arrangement of
security devices for securing a protected network through a plurality of security devices
(abstract). The inspection unit is configured to inspect and authorize data packets (column 4 
lines 62-65). 

O'Brien discloses a) loading an inspection module comprising new protocol inspection 
knowledge and a function table having a set of callback functions (column 5 lines 1-27); to b)
notifying the security master of said inspection module (column 5 lines 12-27); and c) 
communicating said set of callback functions to the security master (column 5 lines 27-45). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Williams. One of ordinary skill in the art would have been motivated 
to do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claim 28, wherein the firewall core is configured to monitor said operation 
memory for said new inspection module. 

O'Brien is configured to monitor a memory to determine when a new inspection module 
is loaded into said memory (column 5 lines 28-46). 

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Williams. One of ordinary skill in the art would have been motivated
to do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or 
the underlying operating system. 

In reference to claims 29 and 46, wherein said inspection module further comprises
callback functions, said functions communicated to said firewall core and providing 
communication between said firewall core and said inspection module. 

Williams does not expressly disclose the use of callback functions which communicate to 
the firewall core and providing communication between the firewall core and said inspection 
module. 

O'Brien discloses a set of callback functions, retrieved from said inspection module, each 
said function providing communication between the security master and said inspection module 
(column 5 lines 15-27).

At the time the invention was made, it would have been obvious to a person of ordinary 
skill in the art to use callback functions from security modules as in O'Brien to provide protocol 
inspection in the system of Williams. One of ordinary skill in the art would have been motivated
to do this because callback functions allow the security modules to communicate with the user 
space so that security information that is application and resource specific which would reduce 
the damage that malicious software can cause in the event that malicious software is accidentally 
executed without additional hardware, or modification to the individual software applications or
the underlying operating system. 

In reference to claims 30, 37, 42, 47, wherein each said at least one inspection module
and new inspection module are each further configured to indicate to said firewall core for which 
protocol for data packets said inspection module is configured to provide inspection (column 7 
lines 29-47 in combination with column 6 lines 1-6). 

In reference to claims 31 and 34, wherein each data packet intercepted by said firewall 
core further includes session information comprising address and port data (column 5 line 60 to 
column 6 line 6), the firewall core further configured to map said session information for each 
said data packet to one of said at least one inspection modules and the new inspection module 
(column 7 lines 35-47). 

In reference to claim 33, wherein said communication unit further configured to intercept 
network data communicated via each of said plurality of communication interfaces (Fig. 2).

In reference to claims 35, 38, 41, and 45, wherein said communication unit is further 
configured to communicate a packet between said communication interface and one of said at 
least one inspection modules (Fig. 2). 

In reference to claims 40, and 44, further comprising enabling said inspection module, 
prior to communicating said set of callback function to said firewall core. The new information
is used to filter packets therefore the new rules, provided by the security device, are in an 
enabled state similar to the state of the principle device. 

Conclusion



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Paula W. Klimach whose telephone number is (571) 272-3854. 
The examiner can normally be reached on Mon to Thr 9:30 a.m. to 5:30 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

Tuesday, December 20, 2005




